1. Field of the Invention
Embodiments of the invention generally relate to digital identity management. More specifically, this disclosure relates to a method and apparatus for accepting a digital identity of a user based on transitive trust among parties.
2. Description of the Related Art
In a computer network, such as the Internet, users typically transmit personal and confidential information at the behest of a particular application or service. In some cases, such confidential information may be stored by a remote host for later access by the users. The applications typically authenticate the users prior to accepting the confidential information or allowing access to such information. One well-known scenario for authentication involves the transmission of a username and password over the network to an application, such as web site on the Internet. Another recent, more secure mechanism for authentication involves the use of a digital identity. When transmitted over a network, a digital identity is represented by a security token (also referred to as a token). A token includes one or more claims, each of which includes some part of the total information conveyed by the digital identity. For example, a token may include claims for a username, a password, credit card numbers, and/or a myriad of other types of information.
Some digital identity management systems provide for two types of digital identities: self-asserted identities and managed identities. To distinguish between the two types of identities, it is useful to define three distinct roles. A user is the entity that is associated with the digital identity. An identity provider is an entity that provides a digital identity for a user. A relying party is an entity that in some way relies on the digital identity. For example, the relying party may use the digital identity to authenticate the user. A self-asserted identity is one where the user and the identity provider are one and the same. For example, if a user is creating an account at an online provider, such as AMAZON.COM, than the user is creating his or her own identity (e.g., a username and password). A managed identity is a stronger form of digital identity in that the information is backed by a third party and hence is assumed to be more trustworthy. That is, an identity provider external to the user provides the digital identity to the user.
For a self-asserted identity, a relying party must use its own processes to validate the user and his or her self-asserted claims and thus the relying party incurs the cost of validation. For a managed identity, the user is typically required to pay direct or indirect fees for obtaining the identity from an identity provider. In addition, the relying party must know the identity provider and be aware of the identity provider's policies before accepting a managed identity issued to the user. If not the user, the relying party is typically required to pay the identity provider for using its issued identities. Accordingly, there exists a need in the art for an identity management mechanism that reduces or eliminates the costs associated with the establishment and use of digital identities across users, relying parties, and identity providers.